[Dave Birch] I was at a seminar discussing card payments in the Middle East recently. A couple of the banks there were talking about how simple and effective transaction notification by text or e-mail has been for them, so I was wondering why my bank don’t offer it to me in the UK.

In a number of countries — Hungary, Lebanon, India and so on — banks offer a simple text message notification service and it seems to be pretty effective at cutting card fraud. When your card is used above a certain threshold (say 5 euros) then your issuer automatically sends you a post-authorisation text message containing the transaction details. If you’re sitting in your office and you suddenly get a text message concerning the purchase of a plasma TV in Ulan Bator, then you might be tempted to call the toll-free fraud helpline. It seems like a very simple and efficient mechanism for fraud reduction.

I can see a problem with it, though. Wouldn’t phishers be happy to pay 10 cents or whatever to send out a convincing text message: “if you didn’t just buy a new car in Botswana, call this number” and then when you call the number “Can I have your account number, password, mother’s maiden name” etc. Is this a realistic threat? After all, you could argue that one of the reasons why phishing is so prevalent is that e-mail is free, so the cost-benefit analysis tips heavily in favour of the bad guy. Text messaging isn’t encrypted or authenticated — that’s why for the M-PESA scheme in Kenya we had to design encryption and authentication into the SIM Toolkit application — so banks are right to be wary about using it for certain kinds of services.

It would seem to be even cheaper, wouldn’t it, to send out the post-authorisation confirmations by e-mail but I’m not so sure about using e-mail in the same context for the same reasons. Until the banks have a working digital signature infrastructure, an e-mail notification service would attract phishers like flies. Actually, even with a digital signature service it would still attract phishers like flies.

My opinions are my own (I think) and are presented solely in my capacity as an interested member of the general public